Aethra Vega X3 Use And Installation Manual page 93

A second solution is the improvement of the network by the introduction of an ALG, but this is intrusive and
potentially expensive. ALGs are software packages specifically designed for firewalls from various
producers that examine every packet attempting to pass through the firewall in order to determine whether
it concerns a known protocol like H.323 or SIP. If the packet contains a known protocol, the Firewall allows
it through. However, like Proxies and MCUs that go around firewalls, ALGs also need an access policy for
firewalls and every firewall or NAT device needs up-to-date ALG software. Because new protocols are
continually being developed, ALG software must be updated frequently.
IP Voice and Video Crossing NAT and Firewall
The use of existing network infrastructures for the transmission of voice, video and data promises
interesting strategic advantages for companies of all sizes. Commonly known as "rich media
communications" or "Internet Protocol (IP) communications" these technologies for converging networks
offer new opportunities to communicate, coordinate and collaborate with customers, suppliers, commercial
partners and others all over the world.
Unfortunately, the protocols used for IP communications conflict with most of the security mechanisms for
networks (such as Firewalls and NAT), resulting in protracted or late implementation times for IP video and
voice applications.
Firewalls and NATs – How they work
In an IP network, every device is assigned a unique IP address. All computers, telephones, and
videoconference terminals have at their disposal approximately 65,000 ports for the purpose of
establishing communication channels to transmit data to other devices on the network.
Messages between IP network devices are composed of packets that contain the following information: the
IP address of the terminal that has generated the message, the port number from which the message has
been sent, the IP address of the destination terminal, the port number at the destination, and the data
being sent.
Firewalls
Companies that allow connection to the Internet by their employees typically install a firewall in order to
prevent external access of or tampering with internal data.
The firewall examines the destination IP address and port number of every packet received from outside.
Usually, firewalls are configured in such a way that if a computer from inside the firewall requests data
from a computer outside the firewall, the response packets will be allowed through from the external
computer, but only if they are sent to the IP address and port of the internal computer that generated the
request.
If the Firewall receives a packet destined for a computer that is located internally and determines that the
destination computer has not initiated any communication, the firewall discards the incoming packet.
Firewalls are nearly always configured to block all incoming traffic that has not been explicitly requested.
Internal web servers are the exception: they must be accessible from the outside. To allow this, the
network administrator configures the Firewall to let through packets destined for port 80 of the IP address
of the web server. This operation allows external users to send requests to connect to the company's web
server in order to access data on that server.
93